❔ SSL inside AWS EC2

Hello everyone, I am having issues with SSL. I bought a certificate from Sectigo (which I believe is a trusted CA), but when I connected the SSL certificate to nginx and to my NestJS app inside AWS EC2, I am getting a 'connection not secured'. How do I solve this issue? Thanks. Here is the nginx config:
server {
    listen 443 ssl;
    server_name app.blinkcard.io;

    ssl_certificate /etc/nginx/ssl/blinkcard.io.crt;
    ssl_certificate_key /etc/nginx/ssl/blinkcard.io.key;
    ssl_trusted_certificate /etc/nginx/ssl/blinkcard.io.ca-bundle;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    #add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

    # Block access to dotenv files; the dot is escaped so the regex matches a literal "."
    location ~* ^/\.env {
        deny all;
    }

    # Reverse proxy to the NestJS app listening on localhost:3000 (WebSocket upgrade allowed)
    location / {
        proxy_pass http://localhost:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
23 Replies
JakenVeina (2y ago)
how/where are you getting that error?
jcotton42 (2y ago)
(you also got ripped off, SSL certs are free these days via Let's Encrypt) (I believe AWS has an SSL cert provisioning thing as well)
JakenVeina (2y ago)
an SSL cert signed by a public root CA?
jcotton42 (2y ago)
[Link preview] Certificate Manager - AWS Certificate Manager - AWS (Amazon Web Services, Inc.): AWS Certificate Manager helps you provision, manage, and deploy public and private SSL/TLS certificates with AWS services and your internal connected resources.
khamas (2y ago)
Did you connect to the site via HTTPS (and not HTTP)? Also, SSL certs are free.
JakenVeina (2y ago)
SSL certs signed by a globally-trusted root CA?
jcotton42 (2y ago)
Let's Encrypt
JakenVeina (2y ago)
So, like, if everyone can get one, doesn't that dilute the trust of the whole system? That was always my understanding of why it used to be expensive.
jcotton42 (2y ago)
Let's Encrypt only issues DV (domain validation) certificates, not EV certs, which also verify the identity of the person or org behind the site.
JakenVeina (2y ago)
Okay, TIL. I have some certs to go make tonight.
jcotton42 (2y ago)
EV having a price tag makes sense because you need to actually verify the paperwork being sent to you, but DV can be done in an entirely automatic fashion, via the various ACME challenges.
JakenVeina (2y ago)
Ah, okay, so you have to be able to prove you own a particular domain name; then you can get a cert for it.
jcotton42 (2y ago)
Yes, there are a couple of challenges for this. The HTTP challenge involves serving a particular string from a particular path on your server (you're given the string to serve when starting the challenge).
JakenVeina (2y ago)
yeah
jcotton42 (2y ago)
The DNS challenge has you add a particular TXT record to your DNS records (handy for non-HTTP scenarios, or for sites not publicly reachable). I think there might be some others as well.